Getting Ready For GDPR

It is estimated by the International Association of Privacy Professionals and EY that Fortune's Global 500 companies will spend roughly $7.8 billion in order to ensure they are compliant with the EU General Data Protection Regulation (GDPR), which comes into effect in Europe in May this year. Whilst many of GDPR’s main concepts and principles overlap with the current Data Protection Act, there are some new elements and significant enhancements that will come into effect which brands and retailers need to be preparing for. With the May 25th deadline fast approaching, brands and retailers with operations in Europe will need to finalise what GDPR means to them operationally and opportunistically.

Getting to grips with the data

Firstly, it is important for retailers to understand exactly where their data is, and how it’s being used. Marc French, Chief Trust Officer, Data Protection Officer and SVP at Mimecast, says that this is perhaps the hardest thing retailers will need to achieve in the entire process. Richard Potter, CEO at Peak, says “Businesses need to be able to show that they have looked at all of their data, that they are working to minimise the risk of any personal data being leaked, and that all analysis being performed is legitimate and justifiable under GDPR.”

Ric Calvillo, CEO at Nanigans, believes that retailers must work closely on this with their partners as well. Calvillo says “whilst working internally to account for their own GDPR compliance, ecommerce marketers should also ensure all their partners are compliant and contractual liability is clearly defined. A third-party vendor who either hasn’t taken steps to manage the regulation – or attempts to skirt it – should be a red flag to marketers that it’s time to put their trust, and the trust of their customers, in someone else.”

What’s next

Becoming GDPR compliant involves every facet of the business, from staff training to data security audits and everything in between. For larger organisations, Ryan Donovan, EVP Product at Sitecore, feels it’s imperative to appoint a Data Protection Officer to help build internal awareness. This includes hosting training sessions to educate staff on the new rights the GDPR introduces, and helping employees understand how their roles and responsibilities will be affected moving forward.

When it comes to customer marketing, Tim Haynes, CEO and Founder of Databoxer, believes that brands should be looking to ‘repermission’ their marketing mailing lists. “Many brands, even those that follow current best practices for mailing list signup, will find they don’t have the level of consent required under the GDPR to continue sending marketing to their lists. Brands should be acting now to ‘repermission’ their lists so they can send confidently after May 25.” He also highlights that it’s important brands make the task of ‘giving permission’ as easy, transparent and painless as possible for consumers, stating clearly why the brand wants customer data, and what the brand intends to do with it.

Alastair Johnson, CEO and Founder of Nuggets, believes that whilst retailers are preparing their business for GDPR compliance, they must also plan processes for when things don’t go right, for example, exactly what happens if a data breach occurs. “This is important because it could have a big effect on the fine that a company receives if data they ‘own’ is hacked.” He says retailers must also understand how they will delete personal data should a consumer request this. “Whether you believe GDPR is the right solution for this or not, the changes being implemented are meant to strengthen personal data rights. This includes the option to request deletion from company databases, which businesses will need to answer swiftly or face penalties for not complying.”

What retailers fear most

Typically, regulations are more focused on the backend of organisations and lesser-known to consumers, but GDPR is unique in that respect as it is very much at the forefront of consumers’ minds. Efrat Kanner-Nissimov, Marketing Director at NICE, believes that the real risk here is that as consumers hear more about it, they understand their rights and feel empowered to act upon those rights. She says, “the biggest risk is if consumers ask to exercise their rights (such as the right to be forgotten) and the organisation does not have dedicated capabilities to support these requests. This will immediately receive high exposure, potentially leading to brand reputational damage, lawsuits and of course very high fines from the regulators.” Joe Rohrlich, EVP and General Manager EMEA at Bazaarvoice, believes that as people become more aware of their rights under GDPR, retailers may find that consumers are less willing to accept contact if they cannot trace it back to some form of opt-in.

As the marketing landscape has increasingly moved into an era of personalisation and seamless customer experiences across multiple touchpoints, Sylvia Jensen, Vice President of Marketing EMEA at Acquia, thinks that the biggest challenge is that the “right to be forgotten” will make it tougher for brands and retailers to stand out in their respective markets through personalisation, and will therefore make it more challenging to offer a superior customer experience across digital platforms.

It’s not all bad news...

Whilst there is clearly a lot of work ahead for retailers, many are optimistic that GDPR also brings a great deal of opportunity and that the call for transparency is indeed a positive one. “This process will likely result in better relationships between advertisers and those consumers they’re ultimately targeting via publishers. Those who take the necessary steps to proactively understand their users and then build an interaction with their customers that makes sharing data feel instinctive, will be better off in the long run,” says Ric Calvillo, CEO at Nanigans. Marc French of Mimecast agrees, “whilst some are concerned that the new consent rules for marketing engagements will be a burden by reducing the actual number of potential leads, many don’t recognise that the quality of these leads will go up exponentially. These leads are from people who said they want to hear from you. Take advantage of that and engage.”

Many believe that the GDPR deadline is proving to be a catalyst for marketing and e-commerce transformation and ultimately will enable deeper customer relationships for some. A recent survey Sitecore conducted with Vanson Bourne shows more than four in ten (45%) consumers are willing to provide data to brands to an increasing extent, in order for brands to personalise their experience. “Today’s consumers understand the benefits of providing specific data to brands and retailers, as long as the brand or retailer uses it to provide them with better, more personalised experiences,” says Ryan Donovan, EVP Product at Sitecore.

Mika Yamamoto, Chief Digital Marketing Officer at SAP, believes that the retailers that are best prepared are investing in data platforms and processes to enable personalised and enhanced customer experiences centred on giving customers greater control over their data. She says, “due to GDPR, we’re seeing increased focus on these investments from brands and retailers as they not only see this as a necessity to avoid legal action, but more importantly as an investment in protecting their brand reputations and equity. With this focus, retailers are also using the opportunity to invest in improved customer access to their profiles, innovative cross-channel journeys and authentic personalised experiences – a must to differentiate for today’s digital consumers.”

Bazaarvoice’s Rohrlich feels that GDPR is ultimately a reflection of a growing consumer and societal value placed on transparency and authenticity. “We understand the value of our data and we want the power to choose how and if it is used. I expect that consumers will forge the next generation of brand loyalty and affinity based in part on the brands they believe they can trust – and trust with their data.”

You don’t have to do it alone

There are many routes that retailers can use when looking for solutions and partners on their GDPR journey.

Bazaarvoice’s EVP and General Manager for EMEA, Joe Rohrlich, highlights that there is in fact a wealth of good advice available to get businesses started, and much of it is free of charge. He advises retailers to visit the Information Commissioner’s Office (ICO) website before engaging with any GDPR specialists or legal advisors and to continue to refer to it to stay informed, even once outside help has been engaged.

Acquia provides brands and retailers with products in order to be GDPR ready and compliant on the technical side of their digital business. Peak, for example, has developed an AI-powered GDPR solution, designed to help businesses get on the right track towards compliance. “Our platform ingests your existing data, picks out the personal identifiers, maps the data and automatically performs a risk assessment. It’s a continuous model, too, which means it constantly assesses your data and flags risks, giving you a high-level view of what data you have and what you’re able to do with it,” says CEO Richard Potter.

And there are more solutions heading our way in the near future. Whilst blockchain may be the latest buzzword attached to almost every digital news item at the moment, in the area of personal data storage it could have a truly transformative effect. By storing personal data securely on a blockchain, consumers can control their information and choose to share it with third parties only temporarily or, even better, not at all for transactional purposes. There would be no need for brands and retailers to store, manage or process data, making any operational changes driven by GDPR requirements unnecessary. One business that is pioneering solutions of this kind is Nuggets, the blockchain-based e-commerce payments and ID platform that stores consumer personal and payment data securely in the blockchain, so consumers can make simple e-commerce payments and other transactions, without having to share their personal data with anyone – not even Nuggets. That means no more data breaches because companies don’t have to store consumers’ data.